Bug 107052

Summary: crashes when accessing a link on viewable website
Product: [Applications] konqueror Reporter: Gerry Gavigan <gerrysw11>
Component: khtml rendererAssignee: Maksim Orlovich <maksim>
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version First Reported In: 3.4.1   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Proposed fix
better patch - WC merge

Description Gerry Gavigan 2005-06-08 18:40:16 UTC 
Version:           3.4.1 (using KDE KDE 3.4.1)
Installed from:    SuSE RPMs
OS:                Linux

www.cbi.org.uk - tried to access link from left hand side of page - backtrace below



KCrash handler]
#7  0x41e534d4 in khtml::RenderImage::notifyFinished ()
   from /opt/kde3/lib/libkhtml.so.4
#8  0x41ebf11e in khtml::CachedImage::data () from /opt/kde3/lib/libkhtml.so.4
#9  0x41ebd7a6 in khtml::Loader::slotFinished ()
   from /opt/kde3/lib/libkhtml.so.4
#10 0x41ebd9b7 in khtml::Loader::qt_invoke () from /opt/kde3/lib/libkhtml.so.4
#11 0x4087fe7e in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#12 0x401ac702 in KIO::Job::result () from /opt/kde3/lib/libkio.so.4
#13 0x4020a67c in KIO::Job::emitResult () from /opt/kde3/lib/libkio.so.4
#14 0x40211cfc in KIO::SimpleJob::slotFinished ()
   from /opt/kde3/lib/libkio.so.4
#15 0x402124aa in KIO::TransferJob::slotFinished ()
   from /opt/kde3/lib/libkio.so.4
#16 0x401ff4a7 in KIO::TransferJob::qt_invoke ()
   from /opt/kde3/lib/libkio.so.4
#17 0x4087fe7e in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#18 0x40880626 in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#19 0x401b1f4c in KIO::SlaveInterface::finished ()
   from /opt/kde3/lib/libkio.so.4
#20 0x401e5428 in KIO::SlaveInterface::dispatch ()
   from /opt/kde3/lib/libkio.so.4
#21 0x401c0a33 in KIO::SlaveInterface::dispatch ()
   from /opt/kde3/lib/libkio.so.4
#22 0x401c1c2b in KIO::Slave::gotInput () from /opt/kde3/lib/libkio.so.4
#23 0x401e884a in KIO::Slave::qt_invoke () from /opt/kde3/lib/libkio.so.4
#24 0x4087fe7e in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#25 0x408804ad in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#26 0x40bd4260 in QSocketNotifier::activated ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#27 0x4089fa70 in QSocketNotifier::event ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#28 0x4081cd5f in QApplication::internalNotify ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#29 0x4081ea83 in QApplication::notify () from /usr/lib/qt3/lib/libqt-mt.so.3
#30 0x40566771 in KApplication::notify () from /opt/kde3/lib/libkdecore.so.4
#31 0x40810e76 in QEventLoop::activateSocketNotifiers ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#32 0x407ca242 in QEventLoop::processEvents ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#33 0x40834e51 in QEventLoop::enterLoop () from /usr/lib/qt3/lib/libqt-mt.so.3
#34 0x40834c96 in QEventLoop::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#35 0x4081e94f in QApplication::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#36 0x4181615c in kdemain () from /opt/kde3/lib/libkdeinit_konqueror.so
#37 0x40018554 in kdeinitmain () from /opt/kde3/lib/kde3/konqueror.so
#38 0x0804e6f5 in launch ()
#39 0x0804ee0c in handle_launcher_request ()
#40 0x0804f3c9 in handle_requests ()
#41 0x0804fb9a in main ()
Comment 1 George Staikos 2005-06-08 19:02:46 UTC 
testkhtml: loader.cpp:147: virtual void 
khtml::CachedObject::deref(khtml::CachedObjectClient*): Assertion 
`m_clients.find( c )' failed.
Comment 2 Gerry Gavigan 2005-06-08 20:23:15 UTC 
I don't know if this related or not - but I get this on going to a number of websites including www.guardian.co.uk
[KCrash handler]
#7  0x417284b8 in Program::addControlInCurrentFrame ()
   from /usr/lib/libflash.so.0
#8  0x4172ac30 in CInputScript::ParseSetBackgroundColor ()
   from /usr/lib/libflash.so.0
#9  0x4172d1bd in CInputScript::ParseTags () from /usr/lib/libflash.so.0
#10 0x4172d5d6 in CInputScript::ParseData () from /usr/lib/libflash.so.0
#11 0x41720439 in FlashParse () from /usr/lib/libflash.so.0
#12 0x416ee083 in NPP_Write () from /usr/lib/browser-plugins/libnpflash.so
#13 0x416ef32d in Private_Write () from /usr/lib/browser-plugins/libnpflash.so
#14 0x08054902 in NSPluginInstance::NPWrite ()
#15 0x08059ec7 in NSPluginStreamBase::process ()
#16 0x08059fb0 in NSPluginStreamBase::pump ()
#17 0x0805a0c1 in NSPluginStream::data ()
#18 0x0805a1e7 in NSPluginStream::qt_invoke ()
#19 0x40b9be7e in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#20 0x401d8b64 in KIO::TransferJob::data () from /opt/kde3/lib/libkio.so.4
#21 0x401d8e73 in KIO::TransferJob::slotData () from /opt/kde3/lib/libkio.so.4
#22 0x40209497 in KIO::TransferJob::qt_invoke ()
   from /opt/kde3/lib/libkio.so.4
#23 0x40b9be7e in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#24 0x401d9222 in KIO::SlaveInterface::data () from /opt/kde3/lib/libkio.so.4
#25 0x401ef4ad in KIO::SlaveInterface::dispatch ()
   from /opt/kde3/lib/libkio.so.4
#26 0x401caa33 in KIO::SlaveInterface::dispatch ()
   from /opt/kde3/lib/libkio.so.4
#27 0x401cbc2b in KIO::Slave::gotInput () from /opt/kde3/lib/libkio.so.4
#28 0x401f284a in KIO::Slave::qt_invoke () from /opt/kde3/lib/libkio.so.4
#29 0x40b9be7e in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#30 0x40b9c4ad in QObject::activate_signal ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#31 0x40ef0260 in QSocketNotifier::activated ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#32 0x40bbba70 in QSocketNotifier::event ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#33 0x40b38d5f in QApplication::internalNotify ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#34 0x40b3aa83 in QApplication::notify () from /usr/lib/qt3/lib/libqt-mt.so.3
#35 0x4084d771 in KApplication::notify () from /opt/kde3/lib/libkdecore.so.4
#36 0x40b2ce76 in QEventLoop::activateSocketNotifiers ()
   from /usr/lib/qt3/lib/libqt-mt.so.3
#37 0x0805700b in QXtEventLoop::processEvents ()
#38 0x40b50e51 in QEventLoop::enterLoop () from /usr/lib/qt3/lib/libqt-mt.so.3
#39 0x40b50c96 in QEventLoop::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#40 0x40b3a94f in QApplication::exec () from /usr/lib/qt3/lib/libqt-mt.so.3
#41 0x0805b5e3 in main ()
Comment 3 Maksim Orlovich 2005-06-08 21:42:38 UTC 
Testcase:


<script language="javascript">

function showSideImage()
{
      window.document.images['sidead105'].src = "no-such-image";
}

function hideLink() {
      window.document.images['sidead105'].style.display="none";
}

</script>


<img onerror="hideLink()" src="http://www.kde.org/error" name="sidead105">

<script language="javascript">showSideImage();</script>
Comment 4 Maksim Orlovich 2005-06-08 22:32:52 UTC 
OK, I understand what's going on here. Consider where the final deref is being called from:
0: /opt/kde4/lib/libkdecore.so.4(_Z11kdBacktracei+0x3a) [0xb7628002]
1: /opt/kde4/lib/libkdecore.so.4(_Z11kdBacktracev+0x1f) [0xb7628263]
2: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml12CachedObject5derefEPNS_18CachedObjectClientE+0x1f) [0xb627e96d]
3: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml11CachedImage5derefEPNS_18CachedObjectClientE+0x25) [0xb628022f]
4: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml11RenderImageD0Ev+0x6c) [0xb6217c2c]
5: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml12RenderObject11arenaDeleteEPNS_11RenderArenaEPv+0x3d) [0xb61fe099]
6: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml12RenderObject6detachEv+0x65) [0xb61fe053]
7: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml15RenderContainer6detachEv+0xcd) [0xb62018ad]
8: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml9RenderBox6detachEv+0x38) [0xb6203b14]
9: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM8NodeImpl6detachEv+0x37) [0xb61893ed]
10: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM12NodeBaseImpl6detachEv+0x5d) [0xb618aaed]
11: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM11ElementImpl11recalcStyleENS_8NodeImpl11StyleChangeE+0x195) [0xb6190cb3]
12: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM15HTMLElementImpl11recalcStyleENS_8NodeImpl11StyleChangeE+0x21) [0xb61b6a4d]
13: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM11ElementImpl11recalcStyleENS_8NodeImpl11StyleChangeE+0x2c4) [0xb6190de2]
14: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM15HTMLElementImpl11recalcStyleENS_8NodeImpl11StyleChangeE+0x21) [0xb61b6a4d]
15: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM11ElementImpl11recalcStyleENS_8NodeImpl11StyleChangeE+0x2c4) [0xb6190de2]
16: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM15HTMLElementImpl11recalcStyleENS_8NodeImpl11StyleChangeE+0x21) [0xb61b6a4d]
17: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM12DocumentImpl11recalcStyleENS_8NodeImpl11StyleChangeE+0x36f) [0xb617bc8d]
18: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM12DocumentImpl15updateRenderingEv+0x47) [0xb617bd77]
19: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM12DocumentImpl24updateDocumentsRenderingEv+0x84) [0xb617be04]
20: /opt/kde4/lib/libkhtml.so.4(_ZN3KJS6Window20afterScriptExecutionEv+0x19) [0xb62dbe1b]
21: /opt/kde4/lib/libkhtml.so.4(_ZN3KJS15JSEventListener11handleEventERN3DOM5EventE+0x3fa) [0xb630e88e]
22: /opt/kde4/lib/libkhtml.so.4(_ZN3KJS19JSLazyEventListener11handleEventERN3DOM5EventE+0x45) [0xb630efb3]
23: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM8NodeImpl17handleLocalEventsEPNS_9EventImplEb+0xdf) [0xb6188c1b]
24: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM8NodeImpl20dispatchGenericEventEPNS_9EventImplERi+0x1b3) [0xb6187fa1]
25: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM8NodeImpl13dispatchEventEPNS_9EventImplERib+0x5a) [0xb6187d5e]
26: /opt/kde4/lib/libkhtml.so.4(_ZN3DOM8NodeImpl17dispatchHTMLEventEibb+0x7a) [0xb61882a8]
27: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml11RenderImage14notifyFinishedEPNS_12CachedObjectE+0x97) [0xb6219197]
28: /opt/kde4/lib/libkhtml.so.4(_ZN5khtml11CachedImage5errorEiPKc+0x147) [0xb628131d] <--- see this?

This loop is iterating over the clients dictionary, but it got changed in the process! I am not quite sure of how to fix this: this case removes items, and I know how to address that, but I am not sure of what to do if new ones are added. Ideas? (Perhaps there is a way of making the iteration safe, or may be the event need to be delayed somehow..)
Comment 5 Maksim Orlovich 2005-06-08 22:38:16 UTC 
Actually, even before that --- when we're inside notifyFinished, we get deleted!  I guess that should be addressed by doing the deref on cached image first, so the null is set properly for the destructor, though even that is nasty, and still leaves the iteration issue. (It also seems that the arena needs valgrind annotations)
Comment 6 Maksim Orlovich 2005-06-08 23:40:14 UTC 
Created attachment 11378 [details]
Proposed fix

This should fix the crash; I am not quite comfortable with the issue of the
changes to client set, but it's safer than I thought...
Comment 7 Gerry Gavigan 2005-06-09 02:09:18 UTC 
I'll take your word for it and wait for the next RPM, I'm just a user, really 
pleased to have KDE


On Wednesday 08 June 2005 22:40, Maksim Orlovich wrote:
[bugs.kde.org quoted mail]
Comment 8 Maksim Orlovich 2005-06-24 03:55:05 UTC 
Created attachment 11562 [details]
better patch - WC merge

This, IMHO, is a better fix, extracted from WebCore (not the current code, but
a slightly older version; I'd rather not do two changes at once); as it fixes a
lot more bugs.
Comment 9 Maksim Orlovich 2005-06-25 05:24:05 UTC 
SVN commit 428727 by orlovich:

Merge in http://www.cs.cornell.edu/~maksim/WC/changesets/1771.html 
from WC. This prevent recursion bugs happening in onload events.
(Note: the current WebCore code is different, and I know at least 
some bugs it fixes, but I don't want to make 2 
changes at once. Better get this tested for a bit before moving on)

Fixes #107052, and the crash in #99480, as well as some synthetic onload
testcases I cooked up. Some testcases upcoming up
BUG:107052
CCBUG:99480




 M  +3 -0      html/html_documentimpl.cpp  
 M  +35 -5     rendering/render_image.cpp  
 M  +3 -0      rendering/render_image.h  
 M  +61 -1     xml/dom_docimpl.cpp  
 M  +10 -0     xml/dom_docimpl.h
Comment 10 Maksim Orlovich 2005-07-30 17:14:14 UTC 
*** Bug 109888 has been marked as a duplicate of this bug. ***